CVE-2023-28218
AFD WinSock — integer overflow in AfdCopyCMSGBuffer allows EoP
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Integer Overflow |
| Vulnerable Build | 10.0.22621.1344 (KB5023778) |
| Fixed Build | 10.0.22621.1555 (KB5025239) |
| Exploited ITW | No |
Affected Functions
- AfdCopyCMSGBuffer
- AfdGetConnectData
Root Cause
AutoPiff categorizes this as `int_overflow`, with the following detection rules:
- safe_size_math_helper_added
- alloc_size_overflow_check_added
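The two detection rule names describe a fix pattern for this vulnerability class: size arithmetic is routed through an overflow-checked helper and the allocation size is validated before use. The C below is an added illustrative model of that pattern, not afd.sys code and not a reconstruction of AfdCopyCMSGBuffer; the function names (`vuln_alloc_would_wild_copy`, `safe_add_u32`, `copy_cmsg_checked`), the sample buffer and the size limits are assumptions for the example. The vulnerable path is simulated by reporting whether the copy length would exceed the wrapped allocation, rather than by performing an out-of-bounds write.

```c
/* Added illustrative model of a 32-bit size-sum overflow and its checked
 * counterpart. Not afd.sys code; names and layouts are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the allocation size is the 32-bit sum of two
 * caller-influenced lengths, so it can wrap to a small value while the
 * copy that follows still uses the unwrapped data length (wild copy).
 * Returns true when the modelled copy would overrun the modelled
 * allocation; the wrapped size is reported through alloc_size_out. */
bool vuln_alloc_would_wild_copy(uint32_t hdr_len, uint32_t data_len,
                                uint32_t *alloc_size_out)
{
    uint32_t alloc_size = hdr_len + data_len;   /* wraps modulo 2^32 */
    *alloc_size_out = alloc_size;
    /* a real driver would do: buf = alloc(alloc_size); memcpy(buf, src, data_len); */
    return data_len > alloc_size;
}

/* Overflow-checked addition in the spirit of the ntintsafe helpers
 * (RtlULongAdd); safe_add_u32 is our own name for this model. */
bool safe_add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;                    /* sum would not fit in 32 bits */
    *out = a + b;
    return true;
}

typedef enum {
    CMSG_OK = 0,
    CMSG_BAD_LENGTH = 1,   /* size arithmetic overflowed */
    CMSG_TOO_LARGE = 2,    /* total exceeds policy limit or the user buffer */
    CMSG_NO_MEMORY = 3
} cmsg_status_t;

/* Hardened pattern: size math goes through the checked helper, the result is
 * bounded before allocation, and the copy length is the validated total,
 * never the raw caller-supplied length. On success the caller owns *out_buf. */
cmsg_status_t copy_cmsg_checked(const uint8_t *user_buf, uint32_t user_len,
                                uint32_t hdr_len, uint32_t data_len,
                                uint32_t max_total,
                                uint8_t **out_buf, uint32_t *out_len)
{
    uint32_t total;
    *out_buf = NULL;
    *out_len = 0;
    if (!safe_add_u32(hdr_len, data_len, &total))
        return CMSG_BAD_LENGTH;
    if (total > max_total || total > user_len)
        return CMSG_TOO_LARGE;
    uint8_t *buf = (uint8_t *)malloc(total);
    if (buf == NULL)
        return CMSG_NO_MEMORY;
    memcpy(buf, user_buf, total);        /* bounded by the validated size */
    *out_buf = buf;
    *out_len = total;
    return CMSG_OK;
}

/* Constructed sample: a 16-byte header followed by 64 bytes of data. */
uint8_t constructed_cmsg[80] = { 0 };

int main(void)
{
    uint32_t wrapped;
    bool wild = vuln_alloc_would_wild_copy(0xFFFFFFF0u, 0x40u, &wrapped);
    printf("unchecked: alloc=%#x, wild copy=%s\n", wrapped, wild ? "yes" : "no");

    uint8_t *buf;
    uint32_t len;
    cmsg_status_t st = copy_cmsg_checked(constructed_cmsg, sizeof constructed_cmsg,
                                         0xFFFFFFF0u, 0x40u, 4096u, &buf, &len);
    printf("checked: status=%d (1 = CMSG_BAD_LENGTH)\n", (int)st);
    st = copy_cmsg_checked(constructed_cmsg, sizeof constructed_cmsg,
                           16u, 64u, 4096u, &buf, &len);
    printf("checked: status=%d, copied=%u bytes\n", (int)st, len);
    free(buf);
    return 0;
}
```

With the lengths 0xFFFFFFF0 and 0x40 the unchecked sum wraps to 0x30, so a 0x40-byte copy into a 0x30-byte allocation is exactly the small-allocation, large-copy shape the ETW indicators below describe; the checked path rejects the same inputs before any allocation happens.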
Exploitation
Patch Analysis
Detection
YARA Rule
```yara
rule CVE_2023_28218_AFD {
    meta:
        description = "Detects vulnerable version of afd.sys (pre-patch)"
        cve = "CVE-2023-28218"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "afd.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1344" wide ascii
        $func_copy_cmsg = "AfdCopyCMSGBuffer" ascii
        $func_get_conn = "AfdGetConnectData" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and ($func_copy_cmsg or $func_get_conn)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-AFD | Socket buffer copy events | Detects abnormal CMSG buffer operations where computed allocation sizes wrap around due to integer overflow |
| Microsoft-Windows-Kernel-Audit | Pool allocation anomalies | Unusually small allocations followed by large copy operations indicate the integer overflow was triggered |
| Microsoft-Windows-Security-Auditing | Event ID 4672 (Special privileges assigned) | Post-exploitation privilege escalation after the wild copy achieves kernel memory corruption |
| Microsoft-Windows-Security-Auditing | Event ID 4688 (Process creation) | Process spawning with elevated token after socket-related syscall burst |
| Microsoft-Windows-Kernel-Process | Process token change | Detects token replacement following exploitation of the AFD integer overflow |
Behavioral Indicators
- A user-mode process issues rapid `WSARecvMsg` or `WSASendMsg` calls with control message (CMSG) buffers whose combined length fields are crafted to trigger an integer overflow in `AfdCopyCMSGBuffer`
- The integer overflow causes a small pool allocation followed by a large memory copy (wild copy), corrupting adjacent kernel pool objects
- User-mode fault handling (UMFH) via `VirtualAlloc`/`VirtualProtect` on the user buffer to control page fault timing during the wild copy, allowing precise corruption targeting
- Anomalous socket creation and immediate `connect`/`recv` patterns from a process that does not normally perform network operations
- Post-exploitation token swap: the exploiting process transitions from medium integrity to SYSTEM integrity without standard elevation mechanisms
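The behavioral indicators above combine into one correlation: a burst of socket control-message calls from a process, followed shortly by that process's token moving to a higher integrity without a standard elevation path. The C below is an added example of that correlation over a constructed event timeline; it is not part of the original advisory and not a KernelSight tool. The event schema (`event_t`, `EV_SOCKET_MSG`, `EV_TOKEN_ELEVATED`), the burst threshold of 20 calls, the 2000 ms window and the sample process IDs are all assumptions chosen for the example; a real deployment would populate the events from the ETW providers listed above.

```c
/* Added example: correlate a socket control-message burst with a following
 * token elevation for the same process. Schema, thresholds and sample data
 * are assumptions for this example, not values from the advisory. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    EV_SOCKET_MSG,      /* WSARecvMsg / WSASendMsg style call carrying CMSG data */
    EV_TOKEN_ELEVATED   /* process token changed to higher integrity, no standard elevation */
} event_kind_t;

typedef struct {
    uint64_t t_ms;      /* event time in milliseconds */
    uint32_t pid;
    event_kind_t kind;
} event_t;

#define BURST_THRESHOLD 20u     /* assumed: calls needed to count as a burst */
#define BURST_WINDOW_MS 2000u   /* assumed: look-back from the elevation event */

/* Count socket control-message events for pid in the window ending at t_end. */
static size_t socket_msg_count(const event_t *ev, size_t n, uint32_t pid, uint64_t t_end)
{
    uint64_t t_start = t_end > BURST_WINDOW_MS ? t_end - BURST_WINDOW_MS : 0;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].pid == pid && ev[i].kind == EV_SOCKET_MSG &&
            ev[i].t_ms >= t_start && ev[i].t_ms <= t_end)
            count++;
    }
    return count;
}

/* Flag every pid whose token elevation is preceded, within the window, by at
 * least BURST_THRESHOLD socket control-message calls. Writes deduplicated pids
 * to out and returns how many were written. Events need not be sorted. */
size_t detect_burst_then_elevation(const event_t *ev, size_t n,
                                   uint32_t *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind != EV_TOKEN_ELEVATED)
            continue;
        if (socket_msg_count(ev, n, ev[i].pid, ev[i].t_ms) < BURST_THRESHOLD)
            continue;
        bool seen = false;
        for (size_t j = 0; j < found; j++)
            if (out[j] == ev[i].pid)
                seen = true;
        if (!seen && found < out_cap)
            out[found++] = ev[i].pid;
    }
    return found;
}

/* Constructed sample timeline (not real telemetry):
 *  pid 4242: 50 CMSG calls between t=1000 and t=1245, token elevated at t=1400
 *  pid 7:    3 CMSG calls, token elevated at t=900 (below the burst threshold)
 *  pid 9:    token elevated at t=100 with no socket activity at all
 * Returns the number of events written. */
size_t build_sample_events(event_t *ev, size_t cap)
{
    size_t n = 0;
    for (uint32_t i = 0; i < 50 && n < cap; i++)
        ev[n++] = (event_t){ 1000 + 5 * i, 4242u, EV_SOCKET_MSG };
    if (n < cap) ev[n++] = (event_t){ 1400, 4242u, EV_TOKEN_ELEVATED };
    if (n < cap) ev[n++] = (event_t){ 500, 7u, EV_SOCKET_MSG };
    if (n < cap) ev[n++] = (event_t){ 600, 7u, EV_SOCKET_MSG };
    if (n < cap) ev[n++] = (event_t){ 700, 7u, EV_SOCKET_MSG };
    if (n < cap) ev[n++] = (event_t){ 900, 7u, EV_TOKEN_ELEVATED };
    if (n < cap) ev[n++] = (event_t){ 100, 9u, EV_TOKEN_ELEVATED };
    return n;
}

int main(void)
{
    event_t events[64];
    size_t n = build_sample_events(events, 64);
    uint32_t flagged[8];
    size_t f = detect_burst_then_elevation(events, n, flagged, 8);
    for (size_t i = 0; i < f; i++)
        printf("suspicious: pid %u elevated after CMSG call burst\n", flagged[i]);
    return 0;
}
```

Only pid 4242 is flagged: the elevation for pid 7 is preceded by three calls, well under the burst threshold, and pid 9 elevates with no socket activity, so neither matches the AFD-specific pattern even though a generic "token elevated" rule would fire on all three.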